We're a very small ISP with one PoP that is getting an ASR-1002X to replace an aging 7206 w/NPE-G2.
I'm trying to wrap my head around how to achieve some separation between management access and customer traffic. We're basically self-contained in one cabinet at a colo facility, and the only existing "management" network is just a dumb switch connected to the internal interfaces of all the servers - this is used for backend db access, backups, and other "management" tasks, but it is totally isolated from the larger internet. The VXR currently does not even have an interface on that network. Our current protection is simply a bunch of ACLs to restrict snmp/ssh to a handful of IPs (admin workstations, monitoring server).
On running through the initial setup of the ASR1K, I noticed that it has a dedicated management interface and that a VRF instance is set up and this interface is placed in that VRF. That is I assume what's noted in this document:
In a small deployment where we don't have a full-on management network, does it make any sense to do anything beyond the recommendations in the second link (ACL management protocols, ACL the control plane, and rate-limit things as appropriate)?
I feel like putting that management interface and a VRF on our current internal network doesn't give me a big win and it makes things all the more fragile/complicated when something goes awry and I need to reach the router.
Any opinions on that?
Lastly, is the Best Practices guide I linked to above current enough? It was published in 2011, not sure if later versions of IOS introduce any new features that would obsolete that document.
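As an added illustration (not the original poster's configuration, and not taken from the linked guides), the following IOS XE snippet shows what the three recommendations in the question look like on a single box: an access-class on the VTY lines and an SNMP view restricted to a handful of admin hosts, Management Plane Protection to pin SSH/SNMP to one interface, and a control-plane policy that rate-limits ICMP and drops management protocols arriving from anyone else. The addresses (192.0.2.10 and 192.0.2.11) are constructed documentation-range placeholders, `Mgmt-intf` and `GigabitEthernet0` are assumed to be the ASR1K's default management VRF and port, and `<ro-community>` is a placeholder.

```cisco
! --- Admin hosts allowed to reach the management plane (constructed addresses) ---
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any log
!
! --- VTY: SSH only, from admin hosts only; vrf-also covers sessions via the Mgmt-intf VRF ---
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 exec-timeout 10 0
!
! --- SNMP: read-only community bound to the same host ACL (placeholder community string) ---
snmp-server community <ro-community> RO MGMT-HOSTS
!
! --- Management Plane Protection: SSH and SNMP are only accepted on the management port ---
! (assumes the ASR1K default of GigabitEthernet0 in VRF Mgmt-intf; omit this stanza if the
!  management port is not cabled and management must arrive on a customer-facing interface)
control-plane host
 management-interface GigabitEthernet0 allow ssh snmp
!
! --- Control Plane Policing ---
! Class 1: SSH/SNMP to the router from non-admin sources. In a CoPP ACL "deny" means
! "not in this class", so the admin hosts fall through and everything else is matched.
ip access-list extended COPP-MGMT-UNWANTED
 deny   tcp host 192.0.2.10 any eq 22
 deny   tcp host 192.0.2.11 any eq 22
 deny   udp host 192.0.2.11 any eq snmp
 permit tcp any any eq 22
 permit udp any any eq snmp
!
! Class 2: ICMP to the router, allowed but rate-limited so it cannot starve the RP.
ip access-list extended COPP-ICMP
 permit icmp any any
!
class-map match-all COPP-MGMT-UNWANTED
 match access-group name COPP-MGMT-UNWANTED
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-MGMT-UNWANTED
  police 8000 1000 conform-action drop exceed-action drop
 class COPP-ICMP
  police 64000 8000 conform-action transmit exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP
```

Verification after applying this: `show policy-map control-plane` shows per-class conform/exceed counters, so a rising drop count in `COPP-MGMT-UNWANTED` is the first sign of unwanted SSH/SNMP attempts, and `show access-lists MGMT-HOSTS` plus the `log` keyword on its final deny give a record of rejected VTY and SNMP sources. The design choice here is that every layer is independent: if MPP is misconfigured, the access-class still holds; if the access-class is mistyped, CoPP still stops non-admin SSH before it reaches the line.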
When the new ASR is installed, will it be possible for a hacker to attack your network through this device? If the answer is yes then they could do a significant amount of damage to both your company and your customers.
Therefore I would suggest as an alternative that you install a small ASA firewall between this router and your internal network. They offer a much stronger form of defence than router ACLs and management VRFs.